OpenID Economics Centers on Relying Parties

Tim Bray has written a post saying that OpenID seems pretty useless
and then points out some problems and possible solutions. The ironic
thing is that I can't argue with many of his points but come to a
very different conclusion.

I don't intend to respond point by point. He's spot on, for example,
in what he says about TLS. While the OpenID spec tries to stay away
from specific authentication mechanisms and has been subjected to
considerable security analysis over the months, there's no reason
not to require that HTTP transport happen over TLS. In practice,
however, I doubt any serious OpenID identity provider (IdP) would
skip TLS.

That leads to the primary point. While it's true that anyone can
throw up an OpenID server and start offering IdP services (Tim's
"what's it mean" point), I think we'll see a limited set of trusted
IdPs in practice. After all, AOL offers it now. If a few more of
the big players offered it with their services (come on, Yahoo! and
Google), everyone on the 'Net would have an OpenID from a trustworthy
IdP.

A few big players would be sufficient since what OpenID provides is
authentication. Simple, plain-old authentication. When you accept
an OpenID as a relying party, all you know is that the IdP is
asserting that the person who presented that OpenID is the one in
control of its password at the IdP's site. So, as long as you trust
the IdP to verify the identity of the user, that's all you need.
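As an added example that is not part of the original post, here is the relying-party side of that point, together with the earlier points about TLS and a limited set of trusted IdPs: the RP accepts a positive assertion only from an allow-listed IdP endpoint over HTTPS, recomputes the OpenID 1.1-style key-value signature with the shared association key, and ends up knowing nothing more than that this IdP vouches for the login. The endpoint allow-list, the association key and the assertion below are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allow-list of IdP endpoints this relying party trusts (assumption).
TRUSTED_IDP_ENDPOINTS = {"https://idp.example.com/openid/server"}

def idp_endpoint_acceptable(endpoint):
    """RP policy: only an IdP on the allow-list, and only over TLS."""
    return urlparse(endpoint).scheme == "https" and endpoint in TRUSTED_IDP_ENDPOINTS

def kv_signature(params, mac_key):
    """HMAC-SHA1 over the key-value form ("key:value\\n", openid. prefix
    stripped) of the fields named in openid.signed, in that order."""
    keys = params["openid.signed"].split(",")
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in keys)
    return base64.b64encode(
        hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha1).digest()
    ).decode("ascii")

def idp_sign(params, mac_key):
    """What the IdP does with the shared association key before redirecting."""
    signed = dict(params)
    signed["openid.sig"] = kv_signature(params, mac_key)
    return signed

def verify_assertion(params, mac_key, endpoint):
    """Return the asserted identifier if the assertion is acceptable, else None.
    A valid result means only that the trusted IdP vouches for this login;
    attributes and authorization are still the RP's job."""
    if not idp_endpoint_acceptable(endpoint):
        return None
    if params.get("openid.mode") != "id_res":
        return None
    if not hmac.compare_digest(kv_signature(params, mac_key), params.get("openid.sig", "")):
        return None
    return params["openid.identity"]

# Constructed sample: a shared association key and a positive assertion.
MAC_KEY = b"constructed-association-secret"
ASSERTION = idp_sign({
    "openid.mode": "id_res",
    "openid.identity": "https://idp.example.com/alice",
    "openid.return_to": "https://rp.example.net/login/return",
    "openid.signed": "mode,identity,return_to",
}, MAC_KEY)
```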

What's the value? Just that. I don't have to do authentication and
mess with password reset, and so on. If I were building a Web
application today, I'd certainly allow OpenID authentication and
might even consider only accepting OpenID. There's not much
time savings at build time, but it cuts the operational complexity.
You still have to associate attributes with that identity and build
authorizations around it.

OpenID 1.0 doesn't include attribute exchange, but OpenID 2.0 does.
With attribute exchange, I might start caring even more about which
OpenID provider someone uses. Amazon might be able to send me
attributes (with the user's permission) that Google can't. As a
relying party, I might get more picky based on what I need to know.

Much of the talk is about user convenience and "single sign-on" (SSO),
but that's not what will drive OpenID acceptance and use. For that
to happen, relying parties have to see value in (a) account management
simplicity and (b) attribute exchange. The first is a reality
today; the second will come.

With attribute exchange, some niche OpenID providers are likely to
spin up based on specific attributes or features. But wait, if I've
got multiple OpenIDs and IdPs, doesn't that negate the SSO value?
Yes, except for the announcement that OpenID will interoperate with
CardSpace. Now I can have multiple OpenIDs and manage them in my
card selector from my desktop, choosing which to send based on what I
want to reveal and what the relying party needs.

So, I don't think OpenID is useless. To the contrary, I think
there's real value to relying parties now and more to come.